Cooked up a binaryninja plugin that knows how to disassemble VxDCall macros. This is a funky dynamic linking mechanism used in the Windows 9x kernel: it's an int 0x20 followed by an inline dword representing the 16-bit device id and service ordinal being called. The kernel patches these sequences with a regular call instruction directly invoking the target service the first time each is executed.

The plugin lifts each VxDCall/VMMCall macro into binaryninja's low-level intermediate language by translating it to two IL instructions: a VxD_Get_Service_Address intrinsic which loads the target address into a temporary, and a plain old call or jump instruction so binaryninja can understand and analyze the branch.

Then, an analysis pass replaces those VxD_Get_Service_Address intrinsics with a direct reference to the resolved service, if the service table was found in the binary being analysed.

And the result is a very readable high-level decompilation! It'll be even better once I transcribe type information from the DDK documentation into a C header file for binaryninja to load!!

plugin's on codeberg, it's in C++ https://codeberg.org/hails/vxdninja
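As an added illustration of the encoding described above (example code written for this page, not part of the vxdninja plugin), here is a small decoder that finds unpatched VxDCall/VMMCall macros in a byte string and splits the inline dword into device id and service ordinal. The sample bytes are constructed; treating device id 1 as the VMM (so the macro is a VMMCall) and bit 15 of the ordinal as the VxDJmp marker follows the DDK macro definitions as I remember them, and is an assumption here.

```python
import struct

VMM_DEVICE_ID = 0x0001   # assumed: device id 1 is the VMM itself, i.e. a VMMCall
VXD_JMP_FLAG = 0x8000    # assumed: bit 15 of the ordinal marks a VxDJmp rather than a call
MACRO_LEN = 6            # CD 20 (int 0x20) + 4-byte inline operand

def decode_vxdcall(code: bytes, offset: int):
    """Decode one macro at `offset`. Returns (device_id, ordinal, is_jump)
    or None if the bytes there are not an int 0x20 followed by a dword."""
    if code[offset:offset + 2] != b"\xcd\x20" or len(code) < offset + MACRO_LEN:
        return None
    (operand,) = struct.unpack_from("<I", code, offset + 2)   # little-endian dword
    device_id = operand >> 16          # high word: VxD device id
    ordinal = operand & 0x7FFF         # low word minus the jump flag: service ordinal
    is_jump = bool(operand & VXD_JMP_FLAG)
    return device_id, ordinal, is_jump

def scan_vxdcalls(code: bytes):
    """Linear scan for unpatched macros. Returns [(offset, device_id, ordinal, is_jump)].
    Because the kernel rewrites executed macros in place, a memory dump only yields
    the macros that have not run yet; an on-disk VxD yields all of them."""
    hits, off = [], 0
    while off + MACRO_LEN <= len(code):
        decoded = decode_vxdcall(code, off)
        if decoded is None:
            off += 1          # plain int 0x20 elsewhere would also match: verify by context
            continue
        hits.append((off, *decoded))
        off += MACRO_LEN
    return hits

def format_macro(device_id: int, ordinal: int, is_jump: bool) -> str:
    """Render a hit the way the DDK macros spell it (ordinal shown as a number,
    name resolution needs the service table, as the plugin does)."""
    if is_jump:
        return f"VxDJmp({device_id:#06x}, {ordinal:#06x})"
    if device_id == VMM_DEVICE_ID:
        return f"VMMCall({ordinal:#06x})"
    return f"VxDCall({device_id:#06x}, {ordinal:#06x})"

# Constructed sample: push ebp; mov ebp,esp; VMMCall 0x0001; VxDCall dev 3 svc 4; ret
SAMPLE = (b"\x55\x8b\xec"
          + b"\xcd\x20\x01\x00\x01\x00"
          + b"\xcd\x20\x04\x00\x03\x00"
          + b"\xc3")

if __name__ == "__main__":
    for off, dev, ordn, jmp in scan_vxdcalls(SAMPLE):
        print(f"{off:#06x}: {format_macro(dev, ordn, jmp)}")
```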

Fix stack adjustment for x86 pop r16 by haileys · Pull Request #8050 · Vector35/binaryninja-api

Related to #4028 pop r16 is lifted incorrectly and adjusts the stack by the wrong size: This PR changes the lifting to always pop the memory operand size and insert a LLIL_LOW_PART if the destinat...

@hailey i had you completely confused with some other hailey who is a dog
@hailey Good find! We're in the middle of the 5.3 release process now so might be a bit before we can give the PR a review, but thanks so much for the fix with code!
@hailey Nice stuff!! Great example of using the Workflow feature, too